def post(self, board):
"""Create a new board.
:param board: A board within the request body.
"""
board_dict = board.as_dict()
user_id = request.current_user_id
if board.creator_id and board.creator_id != user_id:
abort(400, _("You can't select the creator of a board."))
board_dict.update({"creator_id": user_id})
lanes = board_dict.pop('lanes') or []
owners = board_dict.pop('owners')
users = board_dict.pop('users')
if not owners:
owners = [user_id]
if not users:
users = []
# We can't set due dates when creating boards at the moment.
if 'due_dates' in board_dict:
del board_dict['due_dates']
created_board = boards_api.create(board_dict)
events_api.board_created_event(created_board.id, user_id,
created_board.title,
created_board.description)
for lane in lanes:
del lane.worklist
boards_api.add_lane(created_board, lane.as_dict(omit_unset=True))
events_api.board_lanes_changed_event(created_board.id,
user_id,
added=serialize_lane(lane))
edit_permission = {
'name': 'edit_board_%d' % created_board.id,
'codename': 'edit_board',
'users': owners
}
move_permission = {
'name': 'move_cards_%d' % created_board.id,
'codename': 'move_cards',
'users': users
}
edit = boards_api.create_permission(created_board.id, edit_permission)
move = boards_api.create_permission(created_board.id, move_permission)
event_owners = [{
id: users_api.user_get(id).full_name
} for id in owners]
event_users = [{id: users_api.user_get(id).full_name} for id in users]
events_api.board_permission_created_event(created_board.id, user_id,
edit.id, edit.codename,
event_owners)
events_api.board_permission_created_event(created_board.id, user_id,
move.id, move.codename,
event_users)
return wmodels.Board.from_db_model(created_board)
def put(self, user_id, user):
"""Modify this user.
:param user_id: Unique id to identify the user.
:param user: A user within the request body.
"""
current_user = users_api.user_get(request.current_user_id)
# Only owners and superadmins are allowed to modify users.
if request.current_user_id != user_id \
and not current_user.is_superuser:
abort(403, _("You are not allowed to update this user."))
# Strip out values that you're not allowed to change.
user_dict = user.as_dict(omit_unset=True)
if not current_user.is_superuser:
# Only superuser may create superusers or modify login permissions.
if 'enable_login' in six.iterkeys(user_dict):
del user_dict['enable_login']
if 'is_superuser' in six.iterkeys(user_dict):
del user_dict['is_superuser']
updated_user = users_api.user_update(user_id, user_dict)
return wmodels.User.from_db_model(updated_user)
def get_all(title=None, creator_id=None, user_id=None, project_id=None,
task_id=None, story_id=None, sort_field=None, sort_dir=None,
**kwargs):
if user_id is not None:
user = users_api.user_get(user_id)
boards = []
for board in get_all():
if any(permission in board.permissions
for permission in user.permissions):
boards.append(board)
return boards
boards = api_base.entity_get_all(models.Board,
title=title,
creator_id=creator_id,
project_id=project_id,
sort_field=sort_field,
sort_dir=sort_dir,
**kwargs)
if task_id:
matching = []
for board in boards:
if has_card(board, 'task', task_id):
matching.append(board)
boards = matching
if story_id:
matching = []
for board in boards:
if has_card(board, 'story', story_id):
matching.append(board)
boards = matching
return boards
def put(self, user_id, user):
"""Modify this user.
:param user_id: Unique id to identify the user.
:param user: A user within the request body.
"""
current_user = users_api.user_get(request.current_user_id)
# Only owners and superadmins are allowed to modify users.
if request.current_user_id != user_id \
and not current_user.is_superuser:
abort(403, _("You are not allowed to update this user."))
# Strip out values that you're not allowed to change.
user_dict = user.as_dict(omit_unset=True)
if not current_user.is_superuser:
# Only superuser may create superusers or modify login permissions.
if 'enable_login' in six.iterkeys(user_dict):
del user_dict['enable_login']
if 'is_superuser' in six.iterkeys(user_dict):
del user_dict['is_superuser']
updated_user = users_api.user_update(user_id, user_dict)
return wmodels.User.from_db_model(updated_user)
def team_delete_user(team_id, user_id):
session = api_base.get_session()
with session.begin(subtransactions=True):
team = _entity_get(team_id, session)
if team is None:
raise exc.NotFound(_("Team %s not found") % team_id)
user = users.user_get(user_id)
if user is None:
raise exc.NotFound(_("User %s not found") % user_id)
if user_id not in [u.id for u in team.users]:
raise ClientSideError(
_("The User %(user_id)d is not in "
"Team %(team_id)d") % {
'user_id': user_id,
'team_id': team_id
})
user_entry = [u for u in team.users if u.id == user_id][0]
team.users.remove(user_entry)
session.add(team)
return team
def get(self, marker=None, limit=None, full_name=None,
sort_field='id', sort_dir='asc'):
"""Page and filter the users in storyboard.
:param marker: The resource id where the page should begin.
:param limit: The number of users to retrieve.
:param username: A string of characters to filter the username with.
:param full_name: A string of characters to filter the full_name with.
:param sort_field: The name of the field to sort on.
:param sort_dir: Sort direction for results (asc, desc).
"""
# Boundary check on limit.
if limit is not None:
limit = max(0, limit)
# Resolve the marker record.
marker_user = users_api.user_get(marker)
users = users_api.user_get_all(marker=marker_user, limit=limit,
full_name=full_name,
filter_non_public=True,
sort_field=sort_field,
sort_dir=sort_dir)
user_count = users_api.user_get_count(full_name=full_name)
# Apply the query response headers.
if limit:
response.headers['X-Limit'] = str(limit)
response.headers['X-Total'] = str(user_count)
if marker_user:
response.headers['X-Marker'] = str(marker_user.id)
return [wmodels.User.from_db_model(u) for u in users]
def post(self, story):
"""Create a new story.
Example::
curl 'https://my.example.org/api/v1/stories' \\
-H 'Authorization: Bearer MY_ACCESS_TOKEN' \\
-H 'Content-Type: application/json;charset=UTF-8' \\
--data-binary '{"title":"Test Story","description":"A test story."}'
:param story: A story within the request body.
"""
# Reject private story types while ACL is not created.
if (story.story_type_id and
(story.story_type_id == 3 or story.story_type_id == 4)):
abort(400, _("Now you can't add story with type %s.") %
story.story_type_id)
story_dict = story.as_dict()
user_id = request.current_user_id
if story.creator_id and story.creator_id != user_id:
abort(400, _("You can't select author of story."))
story_dict.update({"creator_id": user_id})
if not stories_api.story_can_create_story(story.story_type_id):
abort(400, _("Can't create story of this type."))
if "tags" not in story_dict or not story_dict["tags"]:
story_dict["tags"] = []
# We can't set due dates when creating stories at the moment.
if "due_dates" in story_dict:
del story_dict['due_dates']
users = None
teams = None
# We make sure that a user cannot remove all users and teams
# from the permissions list for a story
# This should be reworked so that users can be removed if there
# are teams, and vice versa
if "teams" in story_dict:
teams = story_dict.pop("teams")
if teams is None:
teams = []
if "users" in story_dict:
users = story_dict.pop("users")
if users is None or (users == [] and teams == []):
users = [wmodels.User.from_db_model(users_api.user_get(user_id))]
created_story = stories_api.story_create(story_dict)
events_api.story_created_event(created_story.id, user_id, story.title)
if story.private:
stories_api.create_permission(created_story, users, teams)
return wmodels.Story.from_db_model(created_story)
def get_permissions(worklist, user_id):
user = users_api.user_get(user_id)
if user is not None:
return [
permission.codename for permission in worklist.permissions
if permission in user.permissions
]
return []
def get_permissions(due_date, user_id):
user = users_api.user_get(user_id)
if user is not None:
return [
permission.codename for permission in due_date.permissions
if permission in user.permissions
]
return []
def get_permissions(board, user_id):
user = users_api.user_get(user_id)
if user is not None:
return [
permission.codename for permission in board.permissions
if permission in user.permissions
]
return []
def get(self,
marker=None,
limit=None,
target_type=None,
target_id=None,
user_id=None,
sort_field='id',
sort_dir='asc'):
"""Retrieve a list of subscriptions for the authorized user.
Example::
curl https://my.example.org/api/v1/subscriptions \\
-H 'Authorization: Bearer MY_ACCESS_TOKEN'
:param marker: The resource id where the page should begin.
:param limit: The number of subscriptions to retrieve.
:param target_type: The type of resource to search by.
:param target_id: The unique ID of the resource to search by.
:param user_id: The unique ID of the user to search by.
:param sort_field: The name of the field to sort on.
:param sort_dir: Sort direction for results (asc, desc).
"""
# Boundary check on limit.
if limit is not None:
limit = max(0, limit)
# Sanity check on user_id
current_user = user_api.user_get(request.current_user_id)
if user_id != request.current_user_id \
and not current_user.is_superuser:
user_id = request.current_user_id
# Resolve the marker record.
marker_sub = subscription_api.subscription_get(marker)
subscriptions = subscription_api.subscription_get_all(
marker=marker_sub,
limit=limit,
target_type=target_type,
target_id=target_id,
user_id=user_id,
sort_field=sort_field,
sort_dir=sort_dir)
subscription_count = subscription_api.subscription_get_count(
target_type=target_type, target_id=target_id, user_id=user_id)
# Apply the query response headers.
if limit:
response.headers['X-Limit'] = str(limit)
response.headers['X-Total'] = str(subscription_count)
if marker_sub:
response.headers['X-Marker'] = str(marker_sub.id)
return [Subscription.from_db_model(s) for s in subscriptions]
def get(self,
marker=None,
offset=None,
limit=None,
event_type=None,
subscriber_id=None,
sort_field='id',
sort_dir='asc'):
"""Retrieve a list of subscriptions.
:param marker: The resource id where the page should begin.
:param offset: The offset to begin the page at.
:param limit: The number of subscriptions to retrieve.
:param event_type: The type of resource to search by.
:param subscriber_id: The unique ID of the subscriber to search by.
:param sort_field: The name of the field to sort on.
:param sort_dir: Sort direction for results (asc, desc).
"""
# Boundary check on limit.
if limit is not None:
limit = max(0, limit)
# Resolve the marker record.
marker_sub = subscription_events_api.subscription_events_get(marker)
current_user = user_api.user_get(request.current_user_id)
if current_user.id != subscriber_id and \
not current_user.is_superuser:
abort(403, _("Permission Denied"))
if marker_sub and marker_sub.user_id != subscriber_id:
marker_sub = None
subscriptions = subscription_events_api.subscription_events_get_all(
marker=marker_sub,
offset=offset,
limit=limit,
subscriber_id=subscriber_id,
event_type=event_type,
sort_field=sort_field,
sort_dir=sort_dir)
subscription_count = \
subscription_events_api.subscription_events_get_count(
subscriber_id=subscriber_id,
event_type=event_type)
# Apply the query response headers.
if limit:
response.headers['X-Limit'] = str(limit)
if offset is not None:
response.headers['X-Offset'] = str(offset)
response.headers['X-Total'] = str(subscription_count)
if marker_sub:
response.headers['X-Marker'] = str(marker_sub.id)
return [SubscriptionEvent.from_db_model(s) for s in subscriptions]
def create_permission(due_date_id, permission_dict, session=None):
due_date = _due_date_get(due_date_id, session=session)
users = permission_dict.pop('users')
permission = api_base.entity_create(
models.Permission, permission_dict, session=session)
due_date.permissions.append(permission)
for user_id in users:
user = users_api.user_get(user_id, session=session)
user.permissions.append(permission)
return permission
def create_permission(due_date_id, permission_dict, session=None):
due_date = _due_date_get(due_date_id, session=session)
users = permission_dict.pop('users')
permission = api_base.entity_create(
models.Permission, permission_dict, session=session)
due_date.permissions.append(permission)
for user_id in users:
user = users_api.user_get(user_id, session=session)
user.permissions.append(permission)
return permission
def create_permission(worklist_id, permission_dict, session=None):
worklist = _worklist_get(worklist_id, session=session)
users = permission_dict.pop('users')
permission = api_base.entity_create(
models.Permission, permission_dict, session=session)
worklist.permissions.append(permission)
for user_id in users:
user = users_api.user_get(user_id, session=session)
user.permissions.append(permission)
return permission
def create_permission(board_id, permission_dict, session=None):
board = _board_get(board_id, session=session)
users = permission_dict.pop('users')
permission = api_base.entity_create(
models.Permission, permission_dict, session=session)
board.permissions.append(permission)
for user_id in users:
user = users_api.user_get(user_id, session=session)
user.permissions.append(permission)
return permission
def create_permission(board_id, permission_dict, session=None):
board = _board_get(board_id, session=session)
users = permission_dict.pop('users')
permission = api_base.entity_create(
models.Permission, permission_dict, session=session)
board.permissions.append(permission)
for user_id in users:
user = users_api.user_get(user_id, session=session)
user.permissions.append(permission)
return permission
def create_permission(worklist_id, permission_dict, session=None):
worklist = _worklist_get(worklist_id, session=session)
users = permission_dict.pop('users')
permission = api_base.entity_create(
models.Permission, permission_dict, session=session)
worklist.permissions.append(permission)
for user_id in users:
user = users_api.user_get(user_id, session=session)
user.permissions.append(permission)
return permission
def put(self, team_id, user_id):
"""Add a user to a team.
:param team_id: An ID of the team.
:param user_id: An ID of the user.
"""
teams_api.team_add_user(team_id, user_id)
user = users_api.user_get(user_id)
return wmodels.User.from_db_model(user)
def put(self, team_id, user_id):
"""Add a user to a team.
:param team_id: An ID of the team.
:param user_id: An ID of the user.
"""
teams_api.team_add_user(team_id, user_id)
user = users_api.user_get(user_id)
return wmodels.User.from_db_model(user)
def task_assignee_changed(event):
event_info = json.loads(event.event_info)
old_assignee_id = event_info["old_assignee_id"]
old_assignee = users_api.user_get(old_assignee_id)
if old_assignee:
old_fullname = old_assignee.full_name
else:
old_fullname = "unassigned"
event_info["old_assignee_fullname"] = old_fullname
new_assignee_id = event_info["new_assignee_id"]
new_assignee = users_api.user_get(new_assignee_id)
if new_assignee:
new_fullname = new_assignee.full_name
else:
new_fullname = "unassigned"
event_info["new_assignee_fullname"] = new_fullname
event.event_info = json.dumps(event_info)
return event
def get(self, marker=None, limit=None, target_type=None, target_id=None,
user_id=None, sort_field='id', sort_dir='asc'):
"""Retrieve a list of subscriptions for the authorized user.
Example::
curl https://my.example.org/api/v1/subscriptions \\
-H 'Authorization: Bearer MY_ACCESS_TOKEN'
:param marker: The resource id where the page should begin.
:param limit: The number of subscriptions to retrieve.
:param target_type: The type of resource to search by.
:param target_id: The unique ID of the resource to search by.
:param user_id: The unique ID of the user to search by.
:param sort_field: The name of the field to sort on.
:param sort_dir: Sort direction for results (asc, desc).
"""
# Boundary check on limit.
if limit is not None:
limit = max(0, limit)
# Sanity check on user_id
current_user = user_api.user_get(request.current_user_id)
if user_id != request.current_user_id \
and not current_user.is_superuser:
user_id = request.current_user_id
# Resolve the marker record.
marker_sub = subscription_api.subscription_get(marker)
subscriptions = subscription_api.subscription_get_all(
marker=marker_sub,
limit=limit,
target_type=target_type,
target_id=target_id,
user_id=user_id,
sort_field=sort_field,
sort_dir=sort_dir)
subscription_count = subscription_api.subscription_get_count(
target_type=target_type,
target_id=target_id,
user_id=user_id)
# Apply the query response headers.
if limit:
response.headers['X-Limit'] = str(limit)
response.headers['X-Total'] = str(subscription_count)
if marker_sub:
response.headers['X-Marker'] = str(marker_sub.id)
return [Subscription.from_db_model(s) for s in subscriptions]
def post(self, subscription):
"""Create a new subscription.
Note: target_id is the same value as the story_id of a story.
Example::
curl https://my.example.org/api/v1/subscriptions \\
-H 'Authorization: Bearer MY_ACCESS_TOKEN' \\
-H 'Content-Type: application/json;charset=UTF-8' \\
--data-binary '{"target_type":"story","target_id":8}'
:param subscription: A subscription within the request body.
"""
# Data sanity check - are all fields set?
if not subscription.target_type or not subscription.target_id:
abort(
400,
_('You are missing either the target_type or the'
' target_id'))
# Sanity check on user_id
current_user = user_api.user_get(request.current_user_id)
if not subscription.user_id:
subscription.user_id = request.current_user_id
elif subscription.user_id != request.current_user_id \
and not current_user.is_superuser:
abort(403, _("You can only subscribe to resources on your own."))
# Data sanity check: The resource must exist.
resource = subscription_api.subscription_get_resource(
target_type=subscription.target_type,
target_id=subscription.target_id,
current_user=request.current_user_id)
if not resource:
abort(400, _('You cannot subscribe to a nonexistent resource.'))
# Data sanity check: The subscription cannot be duplicated for this
# user.
existing = subscription_api.subscription_get_all(
target_type=[
subscription.target_type,
],
target_id=subscription.target_id,
user_id=subscription.user_id)
if existing:
abort(409, _('You are already subscribed to this resource.'))
result = subscription_api.subscription_create(subscription.as_dict())
return Subscription.from_db_model(result)
def get(self, marker=None, offset=None, limit=None, full_name=None,
email=None, openid=None, sort_field='id', sort_dir='asc'):
"""Page and filter the users in storyboard.
Example::
curl https://my.example.org/api/v1/users
:param marker: The resource id where the page should begin.
:param offset: The offset to start the page at.
:param limit: The number of users to retrieve.
:param full_name: A string of characters to filter the full_name with.
:param email: A string of characters to filter the email with.
:param openid: A string of characters to filter the openid with.
:param sort_field: The name of the field to sort on.
:param sort_dir: Sort direction for results (asc, desc).
"""
# Boundary check on limit.
if limit is not None:
limit = max(0, limit)
# Resolve the marker record.
marker_user = None
if marker is not None:
marker_user = users_api.user_get(marker)
users = users_api.user_get_all(marker=marker_user,
offset=offset,
limit=limit,
full_name=full_name,
email=email,
openid=openid,
filter_non_public=True,
sort_field=sort_field,
sort_dir=sort_dir)
user_count = users_api.user_get_count(full_name=full_name,
email=email,
openid=openid)
# Apply the query response headers.
if limit:
response.headers['X-Limit'] = str(limit)
response.headers['X-Total'] = str(user_count)
if marker_user:
response.headers['X-Marker'] = str(marker_user.id)
if offset is not None:
response.headers['X-Offset'] = str(offset)
return [wmodels.User.from_db_model(u) for u in users]
def get_one(self, subscription_id):
"""Retrieve a specific subscription record.
:param subscription_id: The unique id of this subscription.
"""
subscription = subscription_api.subscription_get(subscription_id)
current_user = user_api.user_get(request.current_user_id)
if subscription.user_id != request.current_user_id \
and not current_user.is_superuser:
abort(403, _("You do not have access to this record."))
return Subscription.from_db_model(subscription)
def get_one(self, subscription_event_id):
"""Retrieve a specific subscription record.
:param subscription_event_id: The unique id of this subscription.
"""
subscription_event = subscription_events_api \
.subscription_events_get(subscription_event_id)
current_user = user_api.user_get(request.current_user_id)
if current_user.id != subscription_event.subscriber_id and \
not current_user.is_superuser:
abort(403, _("Permission Denied"))
return SubscriptionEvent.from_db_model(subscription_event)
def get_one(self, user_id):
"""Retrieve details about one user.
:param user_id: The unique id of this user
"""
filter_non_public = True
if user_id == request.current_user_id:
filter_non_public = False
user = users_api.user_get(user_id, filter_non_public)
if not user:
raise exc.NotFound(_("User %s not found") % user_id)
return user
def delete(self, subscription_id):
"""Delete a specific subscription.
:param subscription_id: The unique id of the subscription to delete.
"""
subscription = subscription_api.subscription_get(subscription_id)
# Sanity check on user_id
current_user = user_api.user_get(request.current_user_id)
if subscription.user_id != request.current_user_id \
and not current_user.is_superuser:
abort(403, _("You can only remove your own subscriptions."))
subscription_api.subscription_delete(subscription_id)
def get_one(self, user_id):
"""Retrieve details about one user.
:param user_id: The unique id of this user
"""
filter_non_public = True
if user_id == request.current_user_id:
filter_non_public = False
user = users_api.user_get(user_id, filter_non_public)
if not user:
raise exc.NotFound(_("User %s not found") % user_id)
return user
def create_permission(story, users, session=None):
story = api_base.model_query(models.Story, session) \
.options(subqueryload(models.Story.tags)) \
.filter_by(id=story.id).first()
permission_dict = {
'name': 'view_story_%d' % story.id,
'codename': 'view_story'
}
permission = api_base.entity_create(models.Permission, permission_dict)
story.permissions.append(permission)
for user in users:
user = users_api.user_get(user.id)
user.permissions.append(permission)
return permission
def create_permission(story, users, session=None):
story = api_base.model_query(models.Story, session) \
.options(subqueryload(models.Story.tags)) \
.filter_by(id=story.id).first()
permission_dict = {
'name': 'view_story_%d' % story.id,
'codename': 'view_story'
}
permission = api_base.entity_create(models.Permission, permission_dict)
story.permissions.append(permission)
for user in users:
user = users_api.user_get(user.id)
user.permissions.append(permission)
return permission
def get_one(self, subscription_id):
"""Retrieve a specific subscription record.
:param subscription_id: The unique id of this subscription.
"""
subscription = subscription_api.subscription_get(subscription_id)
current_user = user_api.user_get(request.current_user_id)
if subscription.user_id != request.current_user_id \
and not current_user.is_superuser:
abort(403, _("You do not have access to this record."))
return Subscription.from_db_model(subscription)
def delete(self, subscription_id):
"""Delete a specific subscription.
:param subscription_id: The unique id of the subscription to delete.
"""
subscription = subscription_api.subscription_get(subscription_id)
# Sanity check on user_id
current_user = user_api.user_get(request.current_user_id)
if subscription.user_id != request.current_user_id \
and not current_user.is_superuser:
abort(403, _("You can only remove your own subscriptions."))
subscription_api.subscription_delete(subscription_id)
def get(self, marker=None, offset=None, limit=None, event_type=None,
subscriber_id=None, sort_field='id', sort_dir='asc'):
"""Retrieve a list of subscriptions.
:param marker: The resource id where the page should begin.
:param offset: The offset to begin the page at.
:param limit: The number of subscriptions to retrieve.
:param event_type: The type of resource to search by.
:param subscriber_id: The unique ID of the subscriber to search by.
:param sort_field: The name of the field to sort on.
:param sort_dir: Sort direction for results (asc, desc).
"""
# Boundary check on limit.
if limit is not None:
limit = max(0, limit)
# Resolve the marker record.
marker_sub = subscription_events_api.subscription_events_get(marker)
current_user = user_api.user_get(request.current_user_id)
if current_user.id != subscriber_id and \
not current_user.is_superuser:
abort(403, _("Permission Denied"))
if marker_sub and marker_sub.user_id != subscriber_id:
marker_sub = None
subscriptions = subscription_events_api.subscription_events_get_all(
marker=marker_sub,
offset=offset,
limit=limit,
subscriber_id=subscriber_id,
event_type=event_type,
sort_field=sort_field,
sort_dir=sort_dir)
subscription_count = \
subscription_events_api.subscription_events_get_count(
subscriber_id=subscriber_id,
event_type=event_type)
# Apply the query response headers.
if limit:
response.headers['X-Limit'] = str(limit)
if offset is not None:
response.headers['X-Offset'] = str(offset)
response.headers['X-Total'] = str(subscription_count)
if marker_sub:
response.headers['X-Marker'] = str(marker_sub.id)
return [SubscriptionEvent.from_db_model(s) for s in subscriptions]
def get_one(self, subscription_event_id):
"""Retrieve a specific subscription record.
:param subscription_event_id: The unique id of this subscription.
"""
subscription_event = subscription_events_api \
.subscription_events_get(subscription_event_id)
current_user = user_api.user_get(request.current_user_id)
if current_user.id != subscription_event.subscriber_id and \
not current_user.is_superuser:
abort(403, _("Permission Denied"))
return SubscriptionEvent.from_db_model(subscription_event)
def update_permission(story, users, session=None):
story = api_base.model_query(models.Story, session) \
.options(subqueryload(models.Story.tags)) \
.filter_by(id=story.id).first()
if not story.permissions:
raise exc.NotFound(_("Permissions for story %d not found.") % story.id)
permission = story.permissions[0]
permission_dict = {
'name': permission.name,
'codename': permission.codename,
'users': [users_api.user_get(user.id) for user in users]
}
return api_base.entity_update(models.Permission, permission.id,
permission_dict)
def put(self, team_id, user_id):
"""Add a user to a team.
Example::
TODO
:param team_id: An ID of the team.
:param user_id: An ID of the user.
"""
teams_api.team_add_user(team_id, user_id)
user = users_api.user_get(user_id)
user = api_base._filter_non_public_fields(user, user._public_fields)
return wmodels.User.from_db_model(user)
def delete(self, subscription_event_id):
"""Delete a specific subscription.
:param subscription_event_id: The unique id of the
subscription_event to delete.
"""
subscription_event = subscription_events_api \
.subscription_events_get(subscription_event_id)
current_user = user_api.user_get(request.current_user_id)
if current_user.id != subscription_event.subscriber_id and \
not current_user.is_superuser:
abort(403, _("Permission Denied"))
subscription_events_api.subscription_events_delete(
subscription_event_id)
def update_permission(due_date_id, permission_dict):
due_date = _due_date_get(due_date_id)
id = None
for permission in due_date.permissions:
if permission.codename == permission_dict['codename']:
id = permission.id
users = permission_dict.pop('users')
permission_dict['users'] = []
for user_id in users:
user = users_api.user_get(user_id)
permission_dict['users'].append(user)
if id is None:
raise ClientSideError(_("Permission %s does not exist")
% permission_dict['codename'])
return api_base.entity_update(models.Permission, id, permission_dict)
def update_permission(due_date_id, permission_dict):
due_date = _due_date_get(due_date_id)
id = None
for permission in due_date.permissions:
if permission.codename == permission_dict['codename']:
id = permission.id
users = permission_dict.pop('users')
permission_dict['users'] = []
for user_id in users:
user = users_api.user_get(user_id)
permission_dict['users'].append(user)
if id is None:
raise ClientSideError(_("Permission %s does not exist")
% permission_dict['codename'])
return api_base.entity_update(models.Permission, id, permission_dict)
def delete(self, subscription_event_id):
"""Delete a specific subscription.
:param subscription_event_id: The unique id of the
subscription_event to delete.
"""
subscription_event = subscription_events_api \
.subscription_events_get(subscription_event_id)
current_user = user_api.user_get(request.current_user_id)
if current_user.id != subscription_event.subscriber_id and \
not current_user.is_superuser:
abort(403, _("Permission Denied"))
subscription_events_api.subscription_events_delete(
subscription_event_id)
def put(self, team_id, user_id):
"""Add a user to a team.
Example::
TODO
:param team_id: An ID of the team.
:param user_id: An ID of the user.
"""
teams_api.team_add_user(team_id, user_id)
user = users_api.user_get(user_id)
user = api_base._filter_non_public_fields(user, user._public_fields)
return wmodels.User.from_db_model(user)
def post(self, subscription):
"""Create a new subscription.
Note: target_id is the same value as the story_id of a story.
Example::
curl https://my.example.org/api/v1/subscriptions \\
-H 'Authorization: Bearer MY_ACCESS_TOKEN' \\
-H 'Content-Type: application/json;charset=UTF-8' \\
--data-binary '{"target_type":"story","target_id":8}'
:param subscription: A subscription within the request body.
"""
# Data sanity check - are all fields set?
if not subscription.target_type or not subscription.target_id:
abort(400, _('You are missing either the target_type or the'
' target_id'))
# Sanity check on user_id
current_user = user_api.user_get(request.current_user_id)
if not subscription.user_id:
subscription.user_id = request.current_user_id
elif subscription.user_id != request.current_user_id \
and not current_user.is_superuser:
abort(403, _("You can only subscribe to resources on your own."))
# Data sanity check: The resource must exist.
resource = subscription_api.subscription_get_resource(
target_type=subscription.target_type,
target_id=subscription.target_id,
current_user=request.current_user_id)
if not resource:
abort(400, _('You cannot subscribe to a nonexistent resource.'))
# Data sanity check: The subscription cannot be duplicated for this
# user.
existing = subscription_api.subscription_get_all(
target_type=[subscription.target_type, ],
target_id=subscription.target_id,
user_id=subscription.user_id)
if existing:
abort(409, _('You are already subscribed to this resource.'))
result = subscription_api.subscription_create(subscription.as_dict())
return Subscription.from_db_model(result)
def superuser():
token = _get_token()
if not token:
return False
token = token_api.access_token_get_by_token(token)
if not token:
return False
user = user_api.user_get(token.user_id)
if not user.is_superuser:
abort(403, _("This action is limited to superusers only."))
return user.is_superuser
def self(self):
"""Return the currently logged in user
Example::
curl https://my.example.org/api/v1/users/self \\
-H 'Authorization: Bearer MY_ACCESS_TOKEN'
:return: The User record for the current user.
"""
user = users_api.user_get(request.current_user_id,
filter_non_public=False)
if not user:
raise exc.NotFound(_("User %s not found") %
request.current_user_id)
return user
def update_permission(story, users, session=None):
story = api_base.model_query(models.Story, session) \
.options(subqueryload(models.Story.tags)) \
.filter_by(id=story.id).first()
if not story.permissions:
raise exc.NotFound(_("Permissions for story %d not found.")
% story.id)
permission = story.permissions[0]
permission_dict = {
'name': permission.name,
'codename': permission.codename,
'users': [users_api.user_get(user.id) for user in users]
}
return api_base.entity_update(models.Permission,
permission.id,
permission_dict)
def post(self, story):
"""Create a new story.
:param story: A story within the request body.
"""
# Reject private story types while ACL is not created.
if (story.story_type_id
and (story.story_type_id == 3 or story.story_type_id == 4)):
abort(
400,
_("Now you can't add story with type %s.") %
story.story_type_id)
story_dict = story.as_dict()
user_id = request.current_user_id
if story.creator_id and story.creator_id != user_id:
abort(400, _("You can't select author of story."))
story_dict.update({"creator_id": user_id})
if not stories_api.story_can_create_story(story.story_type_id):
abort(400, _("Can't create story of this type."))
if not "tags" in story_dict or not story_dict["tags"]:
story_dict["tags"] = []
# We can't set due dates when creating stories at the moment.
if "due_dates" in story_dict:
del story_dict['due_dates']
users = []
if "users" in story_dict:
users = story_dict.pop("users")
if users is None:
users = [wmodels.User.from_db_model(users_api.user_get(user_id))]
created_story = stories_api.story_create(story_dict)
events_api.story_created_event(created_story.id, user_id, story.title)
if story.private:
stories_api.create_permission(created_story, users)
return wmodels.Story.from_db_model(created_story)
def get_one(self, subscription_id):
"""Retrieve a specific subscription record.
Example::
curl https://my.example.org/api/v1/subscriptions/4 \\
-H 'Authorization: Bearer MY_ACCESS_TOKEN'
:param subscription_id: The unique id of this subscription.
"""
subscription = subscription_api.subscription_get(subscription_id)
current_user = user_api.user_get(request.current_user_id)
if subscription.user_id != request.current_user_id \
and not current_user.is_superuser:
abort(403, _("You do not have access to this record."))
return Subscription.from_db_model(subscription)
def delete(self, subscription_id):
"""Delete a specific subscription.
Example::
curl https://my.example.org/api/v1/subscriptions/10 -X DELETE \\
-H 'Authorization: Bearer MY_ACCESS_TOKEN'
:param subscription_id: The unique id of the subscription to delete.
"""
subscription = subscription_api.subscription_get(subscription_id)
# Sanity check on user_id
current_user = user_api.user_get(request.current_user_id)
if subscription.user_id != request.current_user_id \
and not current_user.is_superuser:
abort(403, _("You can only remove your own subscriptions."))
subscription_api.subscription_delete(subscription_id)
def _assert_can_access(self, user_id, token_entity=None):
current_user = user_api.user_get(request.current_user_id)
if not user_id:
abort(400, _("user_id is missing."))
# The user must be logged in.
if not current_user:
abort(401, _("You must log in to do this."))
# If the impacted user is not the current user, the current user must
# be an admin.
if not current_user.is_superuser and current_user.id != user_id:
abort(403, _("You are not admin and can't do this."))
# The path-based impacted user and the user found in the entity must
# be identical. No PUT /users/1/tokens { user_id: 2 }
if token_entity and token_entity.user_id != user_id:
abort(403, _("token_entity.user_id or user_id is wrong."))
def post(self, subscription):
"""Create a new subscription.
:param subscription: A subscription within the request body.
"""
# Data sanity check - are all fields set?
if not subscription.target_type or not subscription.target_id:
abort(
400,
_('You are missing either the target_type or the'
' target_id'))
# Sanity check on user_id
current_user = user_api.user_get(request.current_user_id)
if not subscription.user_id:
subscription.user_id = request.current_user_id
elif subscription.user_id != request.current_user_id \
and not current_user.is_superuser:
abort(403, _("You can only subscribe to resources on your own."))
# Data sanity check: The resource must exist.
resource = subscription_api.subscription_get_resource(
target_type=subscription.target_type,
target_id=subscription.target_id,
current_user=request.current_user_id)
if not resource:
abort(400, _('You cannot subscribe to a nonexistent resource.'))
# Data sanity check: The subscription cannot be duplicated for this
# user.
existing = subscription_api.subscription_get_all(
target_type=[
subscription.target_type,
],
target_id=subscription.target_id,
user_id=subscription.user_id)
if existing:
abort(409, _('You are already subscribed to this resource.'))
result = subscription_api.subscription_create(subscription.as_dict())
return Subscription.from_db_model(result)
def _assert_can_access(self, user_id, token_entity=None):
current_user = user_api.user_get(request.current_user_id)
if not user_id:
abort(400, _("user_id is missing."))
# The user must be logged in.
if not current_user:
abort(401, _("You must log in to do this."))
# If the impacted user is not the current user, the current user must
# be an admin.
if not current_user.is_superuser and current_user.id != user_id:
abort(403, _("You are not admin and can't do this."))
# The path-based impacted user and the user found in the entity must
# be identical. No PUT /users/1/tokens { user_id: 2 }
if token_entity and token_entity.user_id != user_id:
abort(403, _("token_entity.user_id or user_id is wrong."))
def post(self, story):
"""Create a new story.
:param story: A story within the request body.
"""
# Reject private story types while ACL is not created.
if (story.story_type_id and
(story.story_type_id == 3 or story.story_type_id == 4)):
abort(400, _("Now you can't add story with type %s.") %
story.story_type_id)
story_dict = story.as_dict()
user_id = request.current_user_id
if story.creator_id and story.creator_id != user_id:
abort(400, _("You can't select author of story."))
story_dict.update({"creator_id": user_id})
if not stories_api.story_can_create_story(story.story_type_id):
abort(400, _("Can't create story of this type."))
if not "tags" in story_dict or not story_dict["tags"]:
story_dict["tags"] = []
# We can't set due dates when creating stories at the moment.
if "due_dates" in story_dict:
del story_dict['due_dates']
users = []
if "users" in story_dict:
users = story_dict.pop("users")
if users is None:
users = [wmodels.User.from_db_model(users_api.user_get(user_id))]
created_story = stories_api.story_create(story_dict)
events_api.story_created_event(created_story.id, user_id, story.title)
if story.private:
stories_api.create_permission(created_story, users)
return wmodels.Story.from_db_model(created_story)
def get_one(self, subscription_id):
"""Retrieve a specific subscription record.
Example::
curl https://my.example.org/api/v1/subscriptions/4 \\
-H 'Authorization: Bearer MY_ACCESS_TOKEN'
:param subscription_id: The unique id of this subscription.
"""
subscription = subscription_api.subscription_get(subscription_id)
current_user = user_api.user_get(request.current_user_id)
if subscription.user_id != request.current_user_id \
and not current_user.is_superuser:
abort(403, _("You do not have access to this record."))
return Subscription.from_db_model(subscription)
def team_add_user(team_id, user_id):
session = api_base.get_session()
with session.begin(subtransactions=True):
team = _entity_get(team_id, session)
if team is None:
raise exc.NotFound(_("Team %s not found") % team_id)
user = users.user_get(user_id)
if user is None:
raise exc.NotFound(_("User %s not found") % user_id)
if user_id in [u.id for u in team.users]:
raise ClientSideError(_("The User %(user_id)d is already "
"in Team %(team_id)d") %
{'user_id': user_id, 'team_id': team_id})
team.users.append(user)
session.add(team)
return team
def team_delete_user(team_id, user_id):
session = api_base.get_session()
with session.begin(subtransactions=True):
team = _entity_get(team_id, session)
if team is None:
raise exc.NotFound(_("Team %s not found") % team_id)
user = users.user_get(user_id)
if user is None:
raise exc.NotFound(_("User %s not found") % user_id)
if user_id not in [u.id for u in team.users]:
raise ClientSideError(_("The User %(user_id)d is not in "
"Team %(team_id)d") %
{'user_id': user_id, 'team_id': team_id})
user_entry = [u for u in team.users if u.id == user_id][0]
team.users.remove(user_entry)
session.add(team)
return team
